[House Report 118-859]
[From the U.S. Government Publishing Office]
118th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 118-859
======================================================================
STRENGTHENING CYBER RESILIENCE AGAINST STATE-SPONSORED THREATS ACT
_______
December 10, 2024.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Green of Tennessee, from the Committee on Homeland Security,
submitted the following
R E P O R T
[To accompany H.R. 9769]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 9769) to ensure the security and integrity of
United States critical infrastructure by establishing an
interagency task force and requiring a comprehensive report on
the targeting of United States critical infrastructure by
People's Republic of China state-sponsored cyber actors, and
for other purposes, having considered the same, reports
favorably thereon without amendment and recommends that the
bill do pass.
CONTENTS
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and Tax Expenditures
Federal Mandates Statement
Duplicative Federal Programs
Statement of General Performance Goals and Objectives
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
PURPOSE AND SUMMARY
H.R. 9769, the ``Strengthening Cyber Resilience Against
State-Sponsored Threats Act,'' directs the Secretary of
Homeland Security, acting through the Director of the
Cybersecurity and Infrastructure Security Agency (CISA), in
consultation with the Attorney General, the Director of the
Federal Bureau of Investigation (FBI), and the heads of
appropriate Sector Risk Management Agencies (SRMAs), to
establish an interagency task force to facilitate coordination
to respond to the cybersecurity threat posed by state-sponsored
cyber actors of the People's Republic of China (PRC).
Additionally, over a six-year period, the task force will be
required to submit an annual report to the appropriate
congressional committees on the targeting of United States
critical infrastructure by PRC state-sponsored cyber actors.
BACKGROUND AND NEED FOR LEGISLATION
In recent years, the PRC has significantly escalated its
malicious cyber operations targeting the United States. Whether
it is compromising power grids or water systems, infiltrating
telecommunications infrastructure, or probing vulnerabilities
in financial networks, the PRC's state-sponsored cyber
operations continue to pose a direct threat to U.S. national
security.\1\ The PRC's state-sponsored cyber actors, including
Volt Typhoon, have not only refined their techniques but have
also broadened their objectives, encompassing intelligence
gathering, economic espionage, and the capability to conduct
damaging cyberattacks in times of geopolitical tension.\2\
---------------------------------------------------------------------------
\1\Max Colchester and Daniel Michaels, ``Scale of Chinese Spying
Overwhelms Western Governments,'' WSJ, (Oct. 14, 2024),
https://www.wsj.com/politics/national-security/scale-of-chinese-spying-overwhelms-western-governments-6ae644d2?mod=china_more_article_pos1.
\2\Christopher Wray, Director, Federal Bureau of Investigation. The
CCP Cyber Threat to the American Homeland and National Security.
Testimony before the House Select Committee on China, (Jan. 24, 2024).
---------------------------------------------------------------------------
Despite widespread recognition of the threat posed by PRC
state-sponsored cyber actors, the U.S. government's response
would benefit from more formalized coordination. Federal
agencies such as the Department of Homeland Security (DHS),
CISA, and the FBI have all made efforts to detect and mitigate
the impacts of these cyber operations but lack a formalized
mechanism for coordinating. These agencies have often lacked
the resources and coordination necessary to fully understand
the scope of the threat, share intelligence in real-time, and
deploy effective countermeasures. A more robust,
better-resourced interagency effort is needed to defend against
the PRC, which has grown bolder in its efforts to pre-position on
U.S. critical infrastructure for disruptive or destructive attacks.
For instance, the PRC state-sponsored cyber actor known as
Volt Typhoon has specialized in stealthy, long-term espionage
operations that target key critical infrastructure sectors such
as energy, telecommunications, transportation, and water
systems. Volt Typhoon uses ``living off the land'' techniques,
which have enabled the threat actor to go undetected within U.S.
critical infrastructure systems for multiple years.\3\
Additionally, Volt Typhoon has pre-positioned itself to move
laterally--and easily--between information technology (IT) and
operational technology (OT) networks to cause disruption in the
event of a conflict with the United States.\4\
---------------------------------------------------------------------------
\3\CISA. PRC State-Sponsored Actors Compromise and Maintain
Persistent Access to U.S. Critical Infrastructure. Cybersecurity
Advisory (Feb. 07, 2024),
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a.
\4\Id.
---------------------------------------------------------------------------
Volt Typhoon's success to date is due in part to the vast
and interconnected nature of U.S. networks, and vulnerabilities
inherent in often outdated infrastructure. Today, most U.S.
critical infrastructure is owned or operated by the private
sector, meaning strong public-private partnerships are
imperative for ensuring its resiliency.\5\ Further, this
creates challenges for coordinating an effective U.S.
government response. Given the number of government
stakeholders that are involved--including CISA, the FBI, the
intelligence community, and SRMAs--the U.S. government must
streamline its own information sharing to work effectively with
private sector owners and operators.
---------------------------------------------------------------------------
\5\Tina Won Sherman, Director, Homeland Security and Justice.
Critical Infrastructure Protection: DHS Actions Urgently Needed to
Better Protect the Nation's Critical Infrastructure. Testimony before
the Subcommittee on Cybersecurity, Infrastructure Protection, and
Innovation, Committee on Homeland Security, House of Representatives,
(Apr. 06, 2022).
---------------------------------------------------------------------------
The U.S. needs to accelerate its efforts to address PRC
state-sponsored cyber threats. Given the magnitude of the PRC
cyber threat, there is an urgent need for legislation that
establishes an interagency task force dedicated solely to
addressing the activities of PRC state-sponsored cyber actors.
Such a task force would build on existing efforts to provide
the structure and authority necessary to coordinate a
comprehensive U.S. response. By bringing together
representatives from CISA, the FBI, and other relevant
entities, the task force would ensure that intelligence is
shared effectively, vulnerabilities are identified and
mitigated, and proactive strategies are developed to protect
U.S. interests.
To ensure accountability and transparency, the task force
would be required to submit an annual comprehensive report to
the appropriate congressional committees. This report will
provide detailed information on the targeting of U.S. critical
infrastructure by PRC cyber actors, including data on the
number of incidents, the sectors affected, and the nature of
the attacks. Additionally, the report will outline the steps
taken by the task force to mitigate these threats, as well as
any challenges or obstacles encountered. By mandating this
annual report, Congress will ensure that the task force remains
focused on its mission, while also providing lawmakers with the
information necessary to adapt and refine U.S. cybersecurity
policy in response to the evolving threat landscape.
The annual report would also serve as a critical tool for
enhancing public awareness of the threat posed by PRC cyber
actors. While much of the task force's work would remain
classified, the report will include unclassified sections that
inform the American public and private sector stakeholders
about the risks to U.S. critical infrastructure and the steps
taken to address them. This would promote greater collaboration
between the government and the private sector.
HEARINGS
The Committee held the following hearing in the 118th
Congress that informed H.R. 9769:
On June 27, 2024, the Subcommittee on Cybersecurity and
Infrastructure Protection held a hearing entitled, ``Sector
Down: Ensuring Critical Infrastructure Resilience.'' Members
heard testimony from the following witnesses: Mr. Frank
Cilluffo, Director of the McCrary Institute for Cyber and
Critical Infrastructure Security, Auburn University; Mr.
Matthew McCabe, Managing Director of Cyber Broking, Guy
Carpenter & Company LLC; Ms. Kimberly Denbow, Vice President of
Security and Operations, American Gas Association; and Mr. Jack
Kudale, Chief Executive Officer, Cowbell.
COMMITTEE CONSIDERATION
The Committee met on Wednesday, September 25, 2024, a
quorum being present, to consider H.R. 9769 and ordered the
measure to be favorably reported to the House.
COMMITTEE VOTES
Clause 3(b) of rule XIII requires the Committee to list the
recorded votes on the motion to report legislation and
amendments thereto.
No recorded votes were requested during consideration of
H.R. 9769.
COMMITTEE OVERSIGHT FINDINGS
In compliance with clause 3(c)(1) of rule XIII, the
Committee advises that the findings and recommendations of the
Committee, based on oversight activities under clause 2(b)(1)
of rule X, are incorporated in the descriptive portions of this
report.
CONGRESSIONAL BUDGET OFFICE ESTIMATE, NEW BUDGET AUTHORITY, ENTITLEMENT
AUTHORITY, AND TAX EXPENDITURES
With respect to the requirements of clause 3(c)(2) of rule
XIII and section 308(a) of the Congressional Budget Act of
1974, and with respect to the requirements of clause 3(c)(3) of
rule XIII and section 402 of the Congressional Budget Act of
1974, the Committee adopts as its own the estimate of any new
budget authority, spending authority, credit authority, or an
increase or decrease in revenues or tax expenditures contained
in the cost estimate prepared by the Director of the
Congressional Budget Office.
The Congressional Budget Act of 1974 requires the
Congressional Budget Office, to the extent practicable, to
prepare estimates of the budgetary effects of legislation
ordered reported by Congressional authorizing committees. In
order to provide the Congress with as much information as
possible, the attached table summarizes information about the
estimated direct spending and revenue effects of some of the
legislation that has been ordered reported by the House
Committee on Homeland Security during the 118th Congress. The
legislation listed in this table generally would have small
effects, if any, on direct spending or revenues, CBO estimates.
Where possible, the table also provides information about the
legislation's estimated effects on spending subject to
appropriation and on intergovernmental and private-sector
mandates as defined in the Unfunded Mandates Reform Act.
ESTIMATED BUDGETARY EFFECTS AND MANDATES INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Bill number | Title | Status | Last action | Budget function | Direct spending, 2025-2034 | Revenues, 2025-2034 | Spending subject to appropriation, 2025-2029 | Pay-as-you-go procedures apply? | Budgetary effects after 2034 | Mandates | Contact
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
H.R. 3169 | Identifying Adversarial Threats at our Ports Act | Ordered reported | 09/25/24 | 050 | 0 | 0 | Not estimated | No | No | Yes | Aldo Prosperi
H.R. 3169 would require the Department of Homeland Security to determine whether cybersecurity vulnerabilities exist in the software or hardware of foreign cranes operating in
U.S. ports and to remediate any such vulnerabilities. CBO estimates that enacting H.R. 3169 would not affect direct spending or revenues. CBO has not estimated the bill's
effects on spending subject to appropriation. The bill would impose intergovernmental and private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA).
Because the cost of the mandates would depend on regulations yet to be published, CBO cannot determine whether the cost of compliance would exceed the annual threshold for
intergovernmental and private-sector mandates ($100 million and $200 million in 2024, respectively, adjusted annually for inflation).
H.R. 4406 | DHS Basic Training Accreditation Improvement Act of 2023 | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 4406 would require the Department of Homeland Security (DHS) to report to the Congress annually on whether its basic training programs are accredited by an independent
organization. The bill also would require DHS to carry out research and development to enhance the preparedness of state, local, tribal, and territorial law enforcement
agencies to respond to terrorist threats. CBO estimates that enacting H.R. 4406 would not affect direct spending or revenues. CBO has not estimated the bill's effects on
spending subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 5729 | A bill to prohibit the use of Federal funds to establish a Homeland Intelligence Experts Group, and for other purposes | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 5729 would prohibit the use of federal funds to reestablish the Homeland Intelligence Experts Group or any successor program. That group, whose members come from private-
sector entities, advised the Department of Homeland Security on intelligence and counterintelligence activities. The group was disbanded on May 2, 2024. CBO estimates that
enacting H.R. 5729 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to appropriation. The bill contains no
intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 8119 | PEARL Act | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 8119 would require Customs and Border Protection to establish a pilot program to adopt dogs from local animal shelters and train them for its therapy dog program. Under
the bill, the program would terminate three years after enactment. CBO estimates that enacting H.R. 8119 would not affect direct spending or revenues. CBO has not estimated
the bill's effects on spending subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9469 | Pipeline Security Act | Ordered reported | 09/25/24 | 400 | 0 | 0 | Not estimated | No | No | Yes | Emma Uebelhor
H.R. 9469 would codify the Transportation Security Administration's responsibility to protect pipelines from terrorists and cybersecurity threats. The bill would require that
agency to report to the Congress on implementing the bill and would direct the Government Accountability Office to review the implementation within two years of enactment.
CBO estimates that enacting H.R. 9469 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to appropriation. The bill
would impose a private-sector mandate as defined in the Unfunded Mandates Reform Act (UMRA). Because the cost of the mandate would depend on regulations yet to be published,
CBO cannot determine whether the cost would exceed the threshold established in UMRA for private-sector mandates ($200 million in 2024, adjusted annually for inflation). The
bill contains no intergovernmental mandates as defined in UMRA.
H.R. 9668 | SHIELD Against CCP Act | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 9668 would require the Department of Homeland Security (DHS) to establish an interagency working group to assess the department's efforts to combat terrorist,
cybersecurity, border, port, and transportation security threats posed by the government of China. The bill would require DHS to report to the Congress annually on the
working group's activities and require the Government Accountability Office to report to the Congress on the bill's implementation. H.R. 9668 also would require DHS to
enhance its situational awareness concerning threats posed by the government of China. CBO estimates that enacting H.R. 9668 would not affect direct spending or revenues. CBO
has not estimated the bill's effects on spending subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded
Mandates Reform Act.
H.R. 9689 | DHS Cybersecurity Internship Program Act | Ordered reported | 09/25/24 | 050 | 0 | 0 | Not estimated | No | No | No | Aldo Prosperi
H.R. 9689 would require the Department of Homeland Security to establish a cybersecurity internship program. CBO estimates that enacting H.R. 9689 would not affect direct
spending or revenues. CBO has not estimated the bill's effects on spending subject to appropriation. The bill contains no intergovernmental or private-sector mandates as
defined in the Unfunded Mandates Reform Act.
H.R. 9731 | Special Interest Alien Reporting Act of 2024 | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 9731 would require the Department of Homeland Security to report to the Congress monthly on the number of aliens (non-U.S. nationals) it encounters who pose a national
security risk. CBO estimates that enacting H.R. 9731 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to
appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9748 | Research Security and Accountability in DHS Act | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 9748 would require the Department of Homeland Security (DHS) to develop a policy to protect its research and development projects from unauthorized access or disclosure.
The bill also would require the Government Accountability Office to report to the Congress within one year of enactment on DHS's compliance with governmentwide policies to
protect research and development. CBO estimates that enacting H.R. 9748 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending
subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9749 | A bill to amend the Homeland Security Act of 2002 to abolish the reorganization authority of the Department of Homeland Security, and for other purposes | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 9749 would prohibit the Department of Homeland Security (DHS) from establishing, consolidating, or discontinuing organizational units and reallocating functions within
component units. Under current law, DHS is authorized to conduct those activities after providing notice to the Congress. CBO estimates that enacting H.R. 9749 would not
affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to appropriation. The bill contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9752 | Tren de Aragua Southwest Border Security Threat Assessment Act | Ordered reported | 09/25/24 | 750 | 0 | 0 | Not estimated | No | No | No | Jeremy Crimm
H.R. 9752 would require the Department of Homeland Security to report to the Congress on countering threats on the southwestern U.S. border posed by the Tren de Aragua
organization. CBO estimates that enacting H.R. 9752 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to
appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9768 | Joint Cyber Defense Collaborative Act | Ordered reported | 09/25/24 | 050 | 0 | 0 | Not estimated | No | No | No | Aldo Prosperi
H.R. 9768 would codify the activities of the Cybersecurity and Infrastructure Security Agency related to analyzing and sharing cybersecurity threat information with federal,
state, and private-sector entities. CBO estimates that enacting H.R. 9768 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending
subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
H.R. 9769 | Strengthening Cyber Resilience Against State-Sponsored Threats Act | Ordered reported | 09/25/24 | 050 | 0 | 0 | Not estimated | No | No | No | Aldo Prosperi
H.R. 9769 would establish an interagency task force to detect, analyze, and respond to state-sponsored cybersecurity threats. The bill also would require the task force to
report annually to the Congress on the findings and actions of the task force. CBO estimates that enacting H.R. 9769 would not affect direct spending or revenues. CBO has not
estimated the bill's effects on spending subject to appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates
Reform Act.
H.R. 9770 | Cyber PIVOTT Act | Ordered reported | 09/25/24 | 050 | 0 | 0 | Not estimated | No | No | No | Aldo Prosperi
H.R. 9770 would require the Cybersecurity and Infrastructure Security Agency to establish scholarships and training opportunities for students enrolled in cybersecurity
associate's degree or certification programs. The bill also would require students who participate in the scholarship program to serve for two years in a federal, state, or
local government position. CBO estimates that enacting H.R. 9770 would not affect direct spending or revenues. CBO has not estimated the bill's effects on spending subject to
appropriation. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
FEDERAL MANDATES STATEMENT
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act of 1995.
DUPLICATIVE FEDERAL PROGRAMS
Pursuant to clause 3(c) of rule XIII, the Committee finds
that H.R. 9769 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
Pursuant to clause 3(c)(4) of rule XIII, the objective of
H.R. 9769 is to ensure the security and integrity of United
States critical infrastructure by establishing an interagency
task force and requiring a comprehensive report on the
targeting of United States critical infrastructure by People's
Republic of China state-sponsored cyber actors.
CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF
BENEFITS
In compliance with rule XXI, this bill, as reported,
contains no congressional earmarks, limited tax benefits, or
limited tariff benefits as defined in clause 9(d), 9(e), or
9(f) of rule XXI.
ADVISORY COMMITTEE STATEMENT
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
APPLICABILITY TO THE LEGISLATIVE BRANCH
The Committee finds that H.R. 9769 does not relate to the
terms and conditions of employment or access to public services
or accommodations within the meaning of section 102(b)(3) of
the Congressional Accountability Act.
SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION
Section 1. Short title
This section states that the Act may be cited as the
``Strengthening Cyber Resilience Against State-Sponsored
Threats Act.''
Section 2. Interagency task force and report on the targeting of United
States critical infrastructure by People's Republic of China
state-sponsored cyber actors
This section directs the Secretary of Homeland Security,
acting through the Director of CISA, in consultation with the
Attorney General, the Director of the FBI, and the heads of
appropriate SRMAs, to establish an interagency task force to
facilitate collaboration and coordination among the SRMAs to
detect, analyze, and respond to the cybersecurity threat posed
by state-sponsored cyber actors, including Volt Typhoon, of the
People's Republic of China (PRC).
Furthermore, this section designates the Director of CISA
as the chair of the task force and the FBI Director as the
vice-chair. The task force will be composed of representatives
from relevant Federal departments and agencies. Representatives
must possess subject matter expertise in areas such as
cybersecurity, digital forensics, threat intelligence analysis,
and the tactics, techniques, and procedures (TTPs) commonly
used by PRC state-sponsored actors like Volt Typhoon.
To prevent redundancy, this section provides flexibility
for the task force to coordinate with existing groups or
efforts that have already examined or responded to similar
cybersecurity threats. This ensures that resources are
efficiently allocated, and that duplication of efforts is
minimized.
Under this section, the task force is also required to
report its findings to Congress. The initial report must be
submitted within 540 days of the task force's establishment,
with annual reports to follow for the next five years. These
reports will assess sector-specific risks, identify trends in
cyber incidents, and provide insights into the TTPs used by
state-sponsored actors. The reports will also address the
potential impact on U.S. critical infrastructure and provide
recommendations for improving defenses against these threats.
Some portions of the reports, especially those related to
sensitive intelligence, will be classified. However, each
report will include an unclassified executive summary that will
be publicly available on the Department of Homeland Security's
website.
In addition to regular reports, the task force is required
to deliver classified briefings to Congress within 30 days of
each report submission. These briefings will allow for deeper
discussion on the task force's findings and recommendations.
This section clarifies that the task force will exist only
as long as necessary to fulfill its purpose. It will terminate
60 days after delivering its final classified briefing to
Congress. This ensures that the task force remains focused and
does not become a permanent entity. Importantly, the task force
is exempt from the Federal Advisory Committee Act and the
Paperwork Reduction Act, allowing it to operate with greater
flexibility and without procedural delays.
Finally, this section provides clear definitions of key
terms, such as ``critical infrastructure,'' and ``cybersecurity
threat,'' among others. These definitions are intended to align
with existing legal frameworks and provide clarity for how the
task force should operate.